MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4af035724851239914519c88f86ad910e2df4bf9f565952fd617c4f2dbc703e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Lucifer

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments 1

SHA256 hash:	4af035724851239914519c88f86ad910e2df4bf9f565952fd617c4f2dbc703e3
SHA3-384 hash:	99278a0346fea44f722ad766f69e3c2fbb8940684cee290ede421f28118c1e3e56a06671e4ade3a56c5dc8ee3c050e0f
SHA1 hash:	a9c0993714339ca5c4af0b7514449573cf6e706c
MD5 hash:	a6f19b89e5177af4d76b95a9d75ecfdf
humanhash:	hot-artist-orange-asparagus
File name:	42cf80d8d4918740cb4a52210d8919bd.exe
Download:	download sample
Signature	Lucifer Create hunting rule
File size:	1'998'895 bytes
First seen:	2020-03-31 20:35:13 UTC
Last seen:	2020-04-01 09:58:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep	49152:YhCQGVrh9tSBzKPBc0IQekGPlUXd07t2Z:yCQGVftSBePBc0skGPlUXdRZ
Threatray	400 similar samples on MalwareBazaar
TLSH	3595AE52B581C872D0A2017182BA8BF10D7EAE30DB2554DBA7C43D6A7A344D27B3E75F
Reporter	abuse_ch
Tags:	exe GuLoader Lucifer

abuse_ch

Payload dropped by GuLoader from the following URL:
https://drive.google.com/uc?export=download&id=194ObVOedG5e1zZBqiDQ08ML7VN_8Ph8g

Intelligence

File Origin

# of uploads :

# of downloads :

111

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Trojan.Generic-6296801-0

Win.Dropper.Securityxploded-6871294-0

PUA.Win.Adware.Kuaizip-6840562-0

Gathering data

Threat name:

Win32.Trojan.Securityxploded

Status:

Malicious

First seen:

2020-03-31 21:35:25 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

27 of 31 (87.10%)

Threat level:

2/5

Verdict:

malicious

Label(s):

hawkeyekeylogger

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip 100ff377cfec636117efb72fc15f3c5ff5a7c1df0550b94db14659ee06c4f357

GuLoader

exe 81bd7f9b814b466a614b8b165ef83081e2ea36f8bcf08b59fa7f9bbbad22c80f

Lucifer

exe 4af035724851239914519c88f86ad910e2df4bf9f565952fd617c4f2dbc703e3

(this sample)

Dropped by

MD5 42cf80d8d4918740cb4a52210d8919bd

Dropped by

MD5 137c4249b0cd2b88267a56a6ad2753fd

Dropped by

GuLoader

Dropped by

SHA256 81bd7f9b814b466a614b8b165ef83081e2ea36f8bcf08b59fa7f9bbbad22c80f

Dropped by

SHA256 01dda58236e5f3c877ea944ce19f507a0a68022d9c009cc9c3cca2d25e641fda

URLhaus

https://urlhaus.abuse.ch/url/333128/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

commented on 2020-04-01 09:58:23 UTC

COVID-19 themed malspam distributing GuLoader with unknown payload:

HELO: smtp02-sa.serv.net.mx
Sending IP: 201.150.39.118
From: eduardo.rendon@ayco.com.mx
Subject: RV: Declaración de Ayco (COVID-19)
Attachment: noCONVIDcrisis.zip (contains "noCONVIDcrisis.bat")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=194ObVOedG5e1zZBqiDQ08ML7VN_8Ph8g

Final payload is unknown, but beacons to posit.monster:
http://posit.monster/luci/Panel/lucifer/gate.php